Link List

Sponsored by..

Tuesday, 21 December 2010

This fake job offer originated from an IP address in Latvia (84.245.203.63) and solicits replies to a domain uk-resum.com registered in Russia. Most likely it is money laundering and/or a parcel reshipping scam. Also in this cluster are the domains usa-resum.com and resum-europe.com. It seems to be part of a long-running series of job scams going back several years.

If our proposition is attractive to you, please kindly send your details so that we can contact you: stewart@uk-resum.com
1) First Name:
2) Country of living
3) City
4) E-mail address:
5) Contact telephone number

Important! We deal with UK citizens only!

Please e-mail your name and phone number and we will invite you for interview.

jobsearch.co.uk is nothing to do with the scam, the email address is faked. The domain is registered to:

Monday, 20 December 2010

The recent Gawker media hack is probably related to a spate of malicious activity from 174.132.178.37, trying to log into forums, according to a couple of different reports on the web - [1][2] - and my own experience of someone trying to get into a forum, presumably with Gawker harvested credentials. The purpose is unknown, but the person behind it may well be trying to use established accounts to spam forums.

Here is a sample email that you might get:

Dear ----------,

Your account on ---------- has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 174.132.178.37

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://forums.----------.com/login.php?do=lostpw

I advise you to contact the web host responsible at abuse -at- theplanet.com with a copy of any evidence. Incidentally, the listed owner of that IP address (although remember that it may have hack) is:

Friday, 3 December 2010

worid-of-books.com is a fake book download site punting malicious executables. The strange name can be explained if you substitute the lowercase "i" with an uppercase one, giving worId-of-books.com which is presumably meant to fool people.

The site looks reasonably credible and appears to have about a million downloadable books, but they are not all that they seem to be. If you try to download a book, you get an EXE file instead of a PDF. What's in the EXE file? Well, malware of course! Detection is fairly patchy according to VirusTotal, but this appears to be a Cycbot variant.

Download it a second time and you actually do get a PDF file.. well, an 8 byte file that just says "PDF file" and nothing else. Subsequent attempts seem to fail with an error message of "We are sorry, this book is now being checked. Try to download it later!". It's pretty clear that worid-of-books.com is tracking visitors (perhaps by IP address) to stop them being able to repeat the infection.

Asociatia Family Network Connections / FAMILY-NETWORK is a Romanian network, and their AS49253 netblock seems to have suddenly turned evil.

The SiteVet report for this AS shows a sudden increase in recent weeks, with over 1500 sites that may be malicious included in the 95.64.110.0/23 block. Most of these evil sites are on just one host, 95.64.110.100. There may be some legitimate sites here, but probably too few to worry about.

Most sites registered here appeared to be Russian, some are registered through Chinese registars. The owner of this block is listed as: